Limit IAM Identity Center Users to defined Region


Requirement

I have been able to set up IAM Identity Center and provide log-in credentials for access to AWS services (let's use S3 as an example); however, I'd like to limit any console access to this service to a single region, to isolate some users' workspaces from others'.

Attempted Config

I created the following IAM policy named RegionRestrict, then imported it into IAM Identity Center when mapping a user to an AWS Organizations account. I referred to a few guides and found that the Condition shared in this guide https://aws.amazon.com/blogs/security/easier-way-to-control-access-to-aws-regions-using-iam-policies/ only applies to API requests (and not console access), thus I ended up using ec2:Region instead of the global region flag.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-1"
                }
            }
        }
    ]
}

Issues

When assigning a permission set to a user, I receive the following error:

1 of 1 failed to be configured.
You can retry submitting them, or you can leave the page and the failed assignments won’t be submitted.

 Assign user "permission-test" to AWS account "permissions-test" with permission set "RegionRestrict"

Received a 404 status error: Not supported policy arn:aws:iam::############:policy/RegionRestrict.
Asked 1 year ago, 1844 views

2 answers

To attach a customer-managed policy to a permission set, you need to first create the policy with the same name in all of the accounts to which the permission set will be attached.

Answered 9 months ago

Accepted answer

For IAM Identity Center, you'll want to create Permission Sets which are templates that define the policies users will receive. You should also look at aws:RequestedRegion for a relevant context key to use in policies.

The API permissions apply to both console and programmatic access, however the key you're using is an EC2 one so it wouldn't necessarily apply to all services.

BTW, you might want to look at Service Control Policies if these users are logging in to linked accounts; there's a very relevant example in the docs.

AWS Expert, Raphael
Answered 1 year ago
Expert reviewed 1 month ago
  • Thank you for the details here. I'll take a deeper look at Service Control Policies, as this seems to be an intended use case for AWS Organizations (I am new to this tool as well).

    For clarity's sake, I want to note that I had created the Permission Set as a requirement of the process and tied the IAM policy RegionRestrict to it, and this is the Permission Set I attempted to attach to each User that resulted in error.

  • I solved this by applying a Service Control Policy to my AWS Organization rather than via the IAM Identity Center. Thanks for your help!
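Worked example, added here and not part of the re:Post thread or of any AWS sample: the two policy shapes the accepted answer points to, built in Python so they can be dumped to JSON and their effect checked offline. SCP_RESTRICT_REGION is an AWS Organizations service control policy keyed on aws:RequestedRegion (the route the asker reports taking), and PERMISSION_SET_INLINE_POLICY is the same condition applied as an inline policy on an IAM Identity Center permission set, which sidesteps the "policy must exist in every target account" requirement from the first answer. The region us-east-1, the break-glass role name OrgAdminBreakGlass, the SSO role ARN shape and the list of global-service actions are assumptions for the example; the small evaluator only handles the statement shapes these two documents use and is a teaching aid, not a substitute for the IAM policy simulator.

```python
"""Region-restricting policies for IAM Identity Center users (added example, not from the thread)."""
import fnmatch
import json

ALLOWED_REGIONS = ["us-east-1"]  # assumed for the example

# Global services answer from us-east-1 or have no region at all; denying them by
# region breaks console sign-in and navigation. List assumed; extend for your estate.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "sso:*", "sso-directory:*", "identitystore:*",
    "access-analyzer:*", "support:*", "health:*", "cloudfront:*", "route53:*",
    "budgets:*", "ce:*", "pricing:*", "tag:*",
]

# Organizations SCP: attach to the OU or member account holding the restricted users.
# SCPs never apply to the management account, so test from a member account.
SCP_RESTRICT_REGION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllOutsideAllowedRegions",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS},
            # Exempt a break-glass admin role (name assumed) so admins cannot lock themselves out.
            "ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::*:role/OrgAdminBreakGlass"]},
        },
    }],
}

# Inline policy for the permission set: S3 is granted only when the request targets an allowed region.
PERMISSION_SET_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "S3OnlyInAllowedRegions",
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }],
}


def scp_json() -> str:
    """SCP text for: aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://scp.json"""
    return json.dumps(SCP_RESTRICT_REGION, indent=2)


def _matches_any(value: str, patterns) -> bool:
    # IAM action and ARN wildcards (* and ?) approximated with shell-style matching.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, region, principal_arn) -> bool:
    """True when the statement's Action/NotAction element and every condition match the request."""
    if "Action" in stmt and not _matches_any(action, stmt["Action"]):
        return False
    if "NotAction" in stmt and _matches_any(action, stmt["NotAction"]):
        return False
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalARN": principal_arn}
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, values in pairs.items():
            values = values if isinstance(values, list) else [values]
            actual = ctx[key]
            # Only the operators these two documents use are implemented.
            if operator == "StringEquals" and actual not in values:
                return False
            if operator == "StringNotEquals" and actual in values:
                return False
            if operator == "ArnNotLike" and _matches_any(actual, values):
                return False
    return True


def evaluate(policy, action, region, principal_arn):
    """'Deny' if any Deny statement applies, else 'Allow' if an Allow applies, else None."""
    decision = None
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, region, principal_arn):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Shape of the role Identity Center provisions for a permission set (ARN assumed).
SSO_ROLE = "arn:aws:iam::123456789012:role/AWSReservedSSO_RegionRestrict_0123456789abcdef"


def would_allow(action: str, region: str, principal_arn: str = SSO_ROLE) -> bool:
    """Combined outcome: the SCP must not deny, and the permission set's policy must allow."""
    if evaluate(SCP_RESTRICT_REGION, action, region, principal_arn) == "Deny":
        return False
    return evaluate(PERMISSION_SET_INLINE_POLICY, action, region, principal_arn) == "Allow"


if __name__ == "__main__":
    print(scp_json())
    for act, reg in [("s3:GetObject", "us-east-1"), ("s3:GetObject", "eu-west-1"),
                     ("iam:GetUser", "eu-west-1"), ("ec2:DescribeInstances", "us-east-1")]:
        print(f"{act:24s} {reg:10s} -> {'allow' if would_allow(act, reg) else 'deny'}")
```

Two points worth checking before relying on either document: aws:RequestedRegion is set on console requests as well as API calls, which is why it covers S3 where the asker's ec2:Region key (present only on EC2 requests) did not; and any global service the console needs that is missing from the NotAction list will be denied by the SCP, so sign in as the restricted user from a member account and walk through the console rather than trusting the list above.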
